File name:

Twitch Viewer Bot.rar

Full analysis: https://app.any.run/tasks/479a08f2-cdb8-4ff0-897f-aa1ebe7d9dcc
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan (RAT). The malware is highly customizable through plugins, which let attackers tailor its functionality to their needs. NanoCore is built on the .NET Framework and is available for purchase for just $25 from its “official” website.

Analysis date: January 01, 2019, 19:10:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
nanocore
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

B83C37A6FBA14923BEB94505DA2BA74F

SHA1:

3AB469AE03B86826C60E352708C5C764596D901F

SHA256:

CB91FE1B8930FA93F7BFC031AF1D85AA5C174DD50F06D93A152ACD26546AE570

SSDEEP:

12288:115o4eVuzWkhVt5zXb4o6/oStNX6wzP7ZNrFSNqc5JaLIT4EJk1sEyE:ZZBWYtVbhpQXhzrFSD5JaLbEh8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information only. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 908)
    • Uses Task Scheduler to run other applications

      • Twitch Viewer Bot.exe (PID: 3656)
    • Changes the autorun value in the registry

      • Twitch Viewer Bot.exe (PID: 3580)
      • Twitch Viewer Bot.exe (PID: 2296)
      • Regasm.exe (PID: 2792)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 1492)
    • NanoCore was detected

      • Twitch Viewer Bot.exe (PID: 3580)
    • Application was dropped or rewritten from another process

      • Twitch Viewer Bot.exe (PID: 3580)
      • Regasm.exe (PID: 2792)
      • Regasm.exe (PID: 564)
      • Twitch Viewer Bot.exe (PID: 3656)
      • Runtime Broker.exe (PID: 2404)
      • Twitch Viewer Bot.exe (PID: 2296)
      • Runtime Broker.exe (PID: 3464)
      • Regasm.exe (PID: 296)
      • Regasm.exe (PID: 932)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Twitch Viewer Bot.exe (PID: 3580)
      • WinRAR.exe (PID: 3024)
      • Twitch Viewer Bot.exe (PID: 3656)
      • Twitch Viewer Bot.exe (PID: 2296)
      • Regasm.exe (PID: 2792)
    • Creates files in the user directory

      • Twitch Viewer Bot.exe (PID: 3580)
      • Twitch Viewer Bot.exe (PID: 3656)
      • Regasm.exe (PID: 2792)
    • Starts itself from another location

      • Twitch Viewer Bot.exe (PID: 3656)
    • Creates files in the program directory

      • Twitch Viewer Bot.exe (PID: 2296)
    • Connects to unusual port

      • Twitch Viewer Bot.exe (PID: 2296)
    • Application launched itself

      • Regasm.exe (PID: 2792)
      • Twitch Viewer Bot.exe (PID: 3580)
      • Regasm.exe (PID: 296)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes
53
Monitored processes
12
Malicious processes
3
Suspicious processes
3

Behavior graph

[Interactive process graph; nodes: winrar.exe, searchprotocolhost.exe, twitch viewer bot.exe (#NANOCORE), schtasks.exe, runtime broker.exe, regasm.exe. Details are in the full report.]

Process information

PID
CMD
Path
Indicators
Parent process
PID:
296
CMD:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe"
Path:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe
Parent process:
Runtime Broker.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.6.1055.0 built by: NETFXREL2
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID:
564
CMD:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe"
Path:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe
Parent process:
Regasm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.6.1055.0 built by: NETFXREL2
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID:
908
CMD:
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path:
C:\Windows\System32\SearchProtocolHost.exe
Parent process:
SearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\version.dll
c:\users\admin\desktop\twitch viewer bot\twitch viewer bot.exe
c:\users\admin\desktop\twitch viewer bot\metroframework.dll
c:\windows\system32\msxml3r.dll
c:\users\admin\desktop\twitch viewer bot\htmlagilitypack.dll
c:\users\admin\desktop\twitch viewer bot\extremenet.dll
PID:
932
CMD:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe"
Path:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe
Parent process:
Regasm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.6.1055.0 built by: NETFXREL2
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID:
1492
CMD:
schtasks /create /f /sc minute /mo 1 /tn "'Twitch Viewer Bot'" /tr "'C:\Users\admin\AppData\Roaming\Runtime Broker.exe'"
Path:
C:\Windows\system32\schtasks.exe
Parent process:
Twitch Viewer Bot.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID:
2296
CMD:
"C:\Users\admin\AppData\Local\Temp\Twitch Viewer Bot.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Twitch Viewer Bot.exe
Parent process:
Twitch Viewer Bot.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\twitch viewer bot.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID:
2404
CMD:
"C:\Users\admin\AppData\Roaming\Runtime Broker.exe"
Path:
C:\Users\admin\AppData\Roaming\Runtime Broker.exe
Parent process:
Twitch Viewer Bot.exe
User:
admin
Company:
Malwarebytes
Integrity Level:
MEDIUM
Description:
mbam.exe
Exit code:
0
Version:
3.1.0.0
Modules
Images
c:\users\admin\appdata\roaming\runtime broker.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID:
2792
CMD:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe"
Path:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe
Parent process:
Runtime Broker.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.6.1055.0 built by: NETFXREL2
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID:
3024
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Twitch Viewer Bot.rar"
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID:
3464
CMD:
"C:\Users\admin\AppData\Roaming\Runtime Broker.exe"
Path:
C:\Users\admin\AppData\Roaming\Runtime Broker.exe
Parent process:
taskeng.exe
User:
admin
Company:
Malwarebytes
Integrity Level:
MEDIUM
Description:
mbam.exe
Exit code:
0
Version:
3.1.0.0
Modules
Images
c:\users\admin\appdata\roaming\runtime broker.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
1 654
Read events
1 611
Write events
42
Delete events
1

Modification events

(PID) Process: (3024) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3024) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3024) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US

(PID) Process: (3024) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\AppData\Local\Temp\Twitch Viewer Bot.rar

(PID) Process: (3024) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120

(PID) Process: (3024) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80

(PID) Process: (3024) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120

(PID) Process: (3024) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100

(PID) Process: (3024) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Viewer
Operation: write
Name: Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6E0000006E0000002E04000063020000

(PID) Process: (3024) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files
6
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID | Process | Filename | Type
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3024.33980\Twitch Viewer Bot\eXtremeNet.dll |
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3024.33980\Twitch Viewer Bot\HtmlAgilityPack.dll |
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3024.33980\Twitch Viewer Bot\HtmlAgilityPack.xml |
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3024.33980\Twitch Viewer Bot\MetroFramework.dll |
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3024.33980\Twitch Viewer Bot\Twitch Viewer Bot Tools.exe.config |
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3024.33980\Twitch Viewer Bot\Twitch Viewer Bot Tools.pdb |
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3024.33980\Twitch Viewer Bot\Twitch Viewer Bot Tools.vshost.exe.config |
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3024.33980\Twitch Viewer Bot\Twitch Viewer Bot Tools.vshost.exe.manifest |
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3024.33980\Twitch Viewer Bot\Twitch Viewer Bot.exe |
3580 | Twitch Viewer Bot.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | binary
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
3
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2296 | Twitch Viewer Bot.exe | 8.8.8.8:53 | | Google Inc. | US | malicious
2296 | Twitch Viewer Bot.exe | 78.57.213.52:1444 | HeasheyYT.hopto.org | Telia Lietuva, AB | LT | unknown

DNS requests

Domain | IP | Reputation
HeasheyYT.hopto.org | 78.57.213.52 | malicious

Threats

No threats detected
No debug info